Windows 11 dual boot: re-enable secure boot will it work?

tl;dr: Linux noob wants to dual boot Linux. Disabled Secure Boot and BitLocker on Windows in order to boot from USB. Now wants to re-enable Secure Boot, while still being able to boot into Linux. Possible/impossible with any distro?

I’m a complete Linux noob, and have been primarily a Windows user since forever. The only Linux experience that I have is a repurposed old (2008-ish) Mac mini where I put on Ubuntu to serve as a media center in my living room, and I have used WSL to run some Docker containers (without installing a specific distro).
However, as a developer and ICT teacher, I thought it was about time that I started using Linux. So I got the idea to dual boot my new laptop (Asus Flow X13 / Win10), and try to use Linux as my main system for all my work-related stuff.
While reading up on different distros and DEs, I often got the suggestion to create a bootable USB drive using something like Rufus, try it out, and proceed to install if I like it. I also created a partition on my laptop drive to install Linux onto.

Here is how that went: (too detailed? can be useful for other noobs such as myself?)

The first distro I wanted to try is Manjaro/Gnome or Manjaro/KDE. So I downloaded the minimal ISO file for Manjaro/Gnome, put in a 4GB USB stick and ran Rufus. This created a bootable USB.

I then went to my laptop's UEFI, changed the boot order, put in the USB stick and rebooted. This gave me the following error:

Secure boot violation
Invalid signature detected. Check secure boot policy in setup

Alright, easy enough, I’ll disable Secure Boot. Into UEFI > advanced > security > secure boot > disable.

Now I get a BitLocker recovery screen. Looked it up, apparently I should disable BitLocker first, then disable Secure Boot, then I should be able to boot from USB.

So I restored my UEFI settings, restarted and then

  1. disabled device encryption in Win10
  2. restarted into the UEFI
  3. disabled Secure Boot from the UEFI > advanced
  4. changed the boot order back to the USB stick
  5. saved UEFI settings and restarted

And now… hooray! I booted into the Manjaro USB stick! After this I installed Manjaro to the partition, restarted, and then it got stuck on the following message:

failed to start load/save backlight brightness of backlight:acpi_video0.

After a lot of Googling around (btw, I don’t know how I would have managed without a second system at hand), I tried the following:

  1. Ctrl+Alt+F3 to get into terminal
  2. used command sudo nano /etc/default/grub to edit the grub file
  3. added the line systemd.restore_state=0 at the end of the file
  4. reboot

Now it boots into Manjaro, I get to choose between partitions on startup, everything seems to be working fine.

Not a great installation experience, but I do recognize that some of these troubles were probably an MS-created issue.

Problem is that I want to upgrade to Win11, as this is the system all my colleagues and students will be using. But that requires Secure Boot to be enabled.

Long story short: can I enable Secure Boot again? I’ve read a lot of conflicting messages that Manjaro may or may not work with Secure Boot enabled.
And if Manjaro doesn’t work with Secure Boot, are there any other distros that will work with Secure Boot enabled?

Assuming nothing substantial has changed with Windows 11, then this should be doable. (Note, I haven’t any first-hand experience with W11)

The problem isn’t Manjaro per se, but your UEFI boot loader. Basically, UEFI stores a set of keys and will not boot a system if the EFI boot loader is not signed by one of those keys. By default they usually store MS keys only. So once you turn on Secure Boot the Windows 11 bootloader will work, but the system will refuse to load the Manjaro boot loader.

Getting a new set of keys and signing the Manjaro bootloader used to be a pain, but it's now (relatively) easy. I actually managed to switch my Manjaro installation to a fully encrypted Secure Boot + TPM supported Full Disk Encryption setup. But I had to replace the key database with my own.

What you will need to do is find a way to sign the Manjaro boot loader without overwriting the MS key so that both boot loaders are loaded by a valid key. I believe you will need to use something like a preloader.

I would start by checking out this wiki page: Unified Extensible Firmware Interface/Secure Boot - ArchWiki
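
The reply above turns on two things: whether the firmware is currently enforcing Secure Boot, and whether a given EFI boot loader carries a signature at all. The following Python script is an added example, not part of the thread or of Manjaro's tooling; it reads both on a Linux system, and the `constructed_image` helper and its sample header bytes are constructed for illustration.

```python
import struct
import sys

# Linux efivarfs path of the SecureBoot variable (EFI global-variable GUID).
SECUREBOOT_VAR = ("/sys/firmware/efi/efivars/"
                  "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

def efivar_flag(raw):
    """efivarfs data is 4 attribute bytes, then the value; SecureBoot is 1 byte."""
    if len(raw) < 5:
        raise ValueError("short efivarfs read")
    return raw[4] == 1

def signature_table(pe):
    """Return (file_offset, size) of the PE certificate table (data directory 4),
    where an embedded Authenticode signature lives; (0, 0) means unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE/EFI image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                  # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    if count <= 4:
        return (0, 0)
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def constructed_image(sig_offset=0, sig_size=0):
    """Constructed PE32+ header for demonstration only; not a bootable image."""
    img = bytearray(0x40 + 24 + 112 + 16 * 8)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)
    struct.pack_into("<II", img, opt + 112 + 32, sig_offset, sig_size)
    return bytes(img)

if __name__ == "__main__":
    # Usage: python3 sbcheck.py /path/to/loader.efi  (path is the reader's own)
    with open(SECUREBOOT_VAR, "rb") as f:
        print("Secure Boot enabled:", efivar_flag(f.read()))
    with open(sys.argv[1], "rb") as f:
        off, size = signature_table(f.read())
    print("embedded signature:", f"{size} bytes at {off:#x}" if size else "none")
```

A non-empty table only shows that the image carries a signature; the firmware still has to find the signing key in its key database before it will boot the loader.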

Please use the search function.

Manjaro does not support secure boot.

The concern about Windows 11 has been discussed before and a comprehensive guide on dual-booting Manjaro and Windows can also be found.